remcos | 5d00074d8fe36dde5b78c0233b25564afecb99befcdd6228eb48971c28e0f067 | Triage

Sharing

General

Target

5d00074d8fe36dde5b78c0233b25564afecb99befcdd6228eb48971c28e0f067.gz
Size

1.4MB
Sample

240728-bl376szarn
MD5

e59e66a0212320182715dc9aa7790b00
SHA1

62e2dd57b02fe78182995b72e792fa62cca08f5f
SHA256

5d00074d8fe36dde5b78c0233b25564afecb99befcdd6228eb48971c28e0f067
SHA512

244641b006669eee9dd394bd2491c7207ba73d9b4da640d9fecc42921c614c14a15a7c2bbe246628b38191c99a20bd2844b3e26c7fcb0bcd7faf9548cb1b6658
SSDEEP

24576:ObEjUD53ELMD7NzB3ORCw3G3OHJxphZ0Qtof5Kjcp7DmEXqw4rIfMj5TBF:ilD53Eu7xFORH2epxpUf5qcZmEK0fC5D

Score

10^/10

remcos remotehost collection credential_access discovery persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:54888

zuesremmy.duckdns.org:54888

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z19JY9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Payroll for July.PDF.bat
- Size
  
  4.9MB
- MD5
  
  221325197f9623e7be8285e05b28c8db
- SHA1
  
  e96b0bf85a8b3e9544eed7b2db4db08bbaee5707
- SHA256
  
  68711195c07e287987488f7045c7147501ccfbae22318b8460d01a86d2f09599
- SHA512
  
  30b445175c2700065cfecc18d839f4129297435f94649fc5f5fdc489a3151e4544abcf40e2923e2d2002e438f6bf03cdc4cdbd21d44344cc2306c25cc401e98e
- SSDEEP
  
  49152:qILm52gH9tPNjLtDgqYQQLg74MmPp1E1TlUQdbKvqsCOP1Ru4JmB/po9c4:5
Score

10^/10

remcos remotehost discovery persistence rat collection credential_access stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoverypersistencerat

behavioral2

remcosremotehostcollectioncredential_accessdiscoverypersistenceratstealer